zc-bug-fix

Warn

Audited by Socket on Apr 23, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS. The skill’s capabilities broadly match its bug-fix purpose, but it concentrates sensitive ZenTao and GitLab credentials in a local config and forwards them to unreviewed shell scripts that perform networked state changes. No obvious malicious exfiltration or deceptive installer is present, yet the credential handling, private/self-hosted endpoints, and ability to push code and update trackers make the overall risk medium.

Confidence: 88%
Severity: 56%

Audit Metadata
Analyzed At: Apr 23, 2026, 03:42 AM
Package URL: pkg:socket/skills-sh/ruiwarn%2Fskills%2Fzc-bug-fix%2F@b507ab8db43e120ea0c05a36c1210880dae67354